O365
Advanced Hunting
Hi, I have set up Defender for Endpoint on our 365 tenant and I can see our devices within the O365 security portal. I now want to report on USB activity on our devices, but when I run the following under advanced hunting I get no results, though I know there must be some data. I am starting to think I don't have the correct licence? I have O365 E3 with Defender for Endpoint. Do I need an E5 for advanced hunting?

Alistair

    // Get the list of the USB devices attached to a device in the past week.
    let myDevice = "<insert your device ID>";
    DeviceEvents
    | where ActionType == "UsbDriveMount" and Timestamp > ago(7d) and DeviceId == myDevice
    | extend ProductName = todynamic(AdditionalFields)["ProductName"],
             SerialNumber = todynamic(AdditionalFields)["SerialNumber"],
             Manufacturer = todynamic(AdditionalFields)["Manufacturer"],
             Volume = todynamic(AdditionalFields)["Volume"]
    | summarize lastInsert = max(Timestamp) by tostring(ProductName), tostring(SerialNumber), tostring(Manufacturer), tostring(Volume)

Manage USB Devices with Intune/Endpoint Manager
Hi, we have just rolled out our new laptops using Autopilot, managed through Intune. I want to use Endpoint Manager to create some prevent/allow rules to manage USB devices, i.e. I want to block everything but allow exceptions: all keyboards, mice etc., but only particular models of phones or USB storage devices. I thought of using "Allow installation of devices that match any device id" and "Prevent installation of devices not described". This doesn't seem to block drives that are already installed. Is there a way of doing this?

Thanks
Alistair